Add permissions policy to the EKS nodegroup IAM role for Nomad Autosc…

…aler
CircleCI-Public · Oct 4, 2023 · 2855435 · 2855435
1 parent 4388a74
commit 2855435
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -58,10 +58,10 @@ We love contributions! Here is how to get started:
 - Once your work is complete, you may create a PR for your branch
 - Each commit is tested for formatting and syntax errors
 - We test PRs in our own test environments
-- PRs are reviewed and approved by members of CircleCI's Server team
+- PRs are reviewed and approved by members of CircleCI's [On-Prem team](https://github.com/orgs/CircleCI-Public/teams/on-prem)
 
 ### Reporting Issues
 
 - Feature requests or problems found may be reported by creating an issue
   within this repository
-- CircleCI's Server team will review and respond to issues.
+- CircleCI's [On-Prem team](https://github.com/orgs/CircleCI-Public/teams/on-prem) will review and respond to issues.
diff --git a/nomad-aws/README.md b/nomad-aws/README.md
@@ -33,7 +33,7 @@ module "nomad_clients" {
   subnet = "<< ID of subnet you want to run nomad clients in >>"
   vpc_id = "<< ID of VPC you want to run nomad client in >>"
 
-  server_endpoint = "<< hostname of server installation >>"
+  nomad_server_hostname = "<< hostname of server installation >>"
 
   dns_server = "<< ip address of your VPC DNS server >>"
   blocked_cidrs = [
@@ -46,6 +46,10 @@ module "nomad_clients" {
   }
   nomad_auto_scaler = false # If true, terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server.
 
+  # If `nomad_auto_scaler` is enabled, `nodegroup_iam_role` should be populated with the EKS nodegroup IAM role name associated with the EKS cluster the Nomad Autoscaler is deployed on.
+  # This ensures an IAM policy is created with the minimum permissions required by the Nomad Autoscaler.
+  nodegroup_iam_role = null
+
   # enable_irsa input will allow K8s service account to use IAM roles, you have to replace REGION, ACCOUNT_ID, OIDC_ID and K8S_NAMESPACE with appropriate value
   # for more info, visit - https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
   enable_irsa = {}
@@ -96,6 +100,7 @@ There are more examples in the [examples](./examples/) directory.
 | [aws_iam_access_key.nomad_asg_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_instance_profile.nomad_client_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.nomad_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.nomad_nodegroup_iam_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_user.nomad_asg_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy.nomad_asg_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_key_pair.ssh_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
@@ -123,6 +128,7 @@ There are more examples in the [examples](./examples/) directory.
 | <a name="input_machine_image_names"></a> [machine\_image\_names](#input\_machine\_image\_names) | Strings to filter image names for nomad virtual machine images. | `list(string)` | <pre>[<br>  "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"<br>]</pre> | no |
 | <a name="input_machine_image_owners"></a> [machine\_image\_owners](#input\_machine\_image\_owners) | List of AWS account IDs that own the images to be used for nomad virtual machines. | `list(string)` | <pre>[<br>  "099720109477",<br>  "513442679011"<br>]</pre> | no |
 | <a name="input_max_nodes"></a> [max\_nodes](#input\_max\_nodes) | Maximum number of nomad clients to create. Must be greater than or equal to nodes | `number` | `5` | no |
+| <a name="input_nodegroup_iam_role"></a> [nodegroup\_iam\_role](#input\_nodegroup\_iam\_role) | The IAM role name for the EKS nodegroup associated with the EKS cluster the Nomad Autoscaler is deployed on.<br>    This should be populated if `nomad_auto_scaler` is enabled,<br>    and it ensures an IAM policy is created with the minimum permissions required by the Nomad Autoscaler. | `string` | `null` | no |
 | <a name="input_nodes"></a> [nodes](#input\_nodes) | Number of nomad clients to create | `number` | n/a | yes |
 | <a name="input_nomad_auto_scaler"></a> [nomad\_auto\_scaler](#input\_nomad\_auto\_scaler) | If set to true, A Nomad User or A Role will be created based on enable\_irsa variable values | `bool` | `false` | no |
 | <a name="input_nomad_server_hostname"></a> [nomad\_server\_hostname](#input\_nomad\_server\_hostname) | Hostname of RPC service of Nomad control plane (e.g circleci.example.com) | `string` | n/a | yes |

diff --git a/nomad-aws/nomad-autoscaler.tf b/nomad-aws/nomad-autoscaler.tf
@@ -38,4 +38,13 @@ resource "aws_iam_role" "nomad_role" {
     })
   }
   tags = local.tags
-}
+}
+
+resource "aws_iam_role_policy" "nomad_nodegroup_iam_role_policy" {
+  # Only create the IAM policy if the Nomad Autoscaler is enabled and the nodegroup IAM role name is provided.
+  count = var.nomad_auto_scaler ? (var.nodegroup_iam_role != null ? 1 : 0) : 0
+
+  name   = "${var.basename}-nomad-nodegroup-iam-role-policy"
+  role   = var.nodegroup_iam_role
+  policy = templatefile("${path.module}/template/nomad_nodegroup_iam_role_policy.tpl", {})
+}
diff --git a/nomad-aws/template/nomad_nodegroup_iam_role_policy.tpl b/nomad-aws/template/nomad_nodegroup_iam_role_policy.tpl
@@ -0,0 +1,18 @@
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"autoscaling:CreateOrUpdateTags",
+				"autoscaling:DescribeAutoScalingGroups",
+				"autoscaling:DescribeScalingActivities",
+				"autoscaling:TerminateInstanceInAutoScalingGroup",
+				"autoscaling:UpdateAutoScalingGroup"
+			],
+			"Resource": [
+				"*"
+			]
+		}
+	]
+}
diff --git a/nomad-aws/variables.tf b/nomad-aws/variables.tf
@@ -123,7 +123,7 @@ variable "role_name" {
   default     = null
 }
 
-# Check for IRSA Role (more details)  - https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html
+# Check for IRSA Role (more details)  - https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
 #   enable_irsa  = {
 #                  oidc_principal_id  = "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
 #                  oidc_eks_variable  = "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub"
@@ -141,6 +141,17 @@ variable "enable_irsa" {
   description = "If passed a valid OIDC MAP, terraform will create K8s Service Account Role to be used by nomad autoscaler."
 }
 
+variable "nodegroup_iam_role" {
+  type    = string
+  default = null
+
+  description = <<EOF
+    The IAM role name for the EKS nodegroup associated with the EKS cluster the Nomad Autoscaler is deployed on.
+    This should be populated if `nomad_auto_scaler` is enabled,
+    and it ensures an IAM policy is created with the minimum permissions required by the Nomad Autoscaler.
+  EOF
+}
+
 variable "disk_size_gb" {
   type        = number
   default     = 100